 From:  Jesse Guardiani <jesse at wingnet dot net>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: Re: Re: Public IP's on OPT
 Date:  Fri, 10 Dec 2004 10:30:44 -0500
Kev Latimer wrote:

> Jesse Guardiani wrote:
> 
>>Kev Latimer wrote:
>>
>>>I'm even making an arse of replying to emails now, this really isn't a
>>>good day!
>>>
>>>As should have said:
>>>
>>>Josh - I didn't set any outbound NAT entries, OPT2 itself should (I
>>>think) only be seen by the m0n0 as it is purely to be an IPSEC
>>>endpoint, all the LAN traffic being routed up the tunnel.  That said, I
>>>did exactly as you explained below and still no luck.  Running 1.11 on a
>>>CF card on an Epia PD1000.
>>>
>>>Jesse - how did you get your OPT interface to respond to pings?  If I
>>>can get that bit right I think I'll stand a chance of kludging the rest
>>>together :)
>>
>>Action....: Pass
>>Interface.: WAN
>>Protocol..: ICMP
>>Source....: Any
>>Source Rng: Any -> Any
>>Dest......: My WAN IP Address
>>Dest Rng..: Any -> Any
>>
>>I also have a rule allowing UDP 33435 -> 33524 to the same WAN IP. This
>>allows traceroutes.
>>
> Is there any way at all to get an OPT interface to respond to anything
> on a public IP?  I've tried plugging it into a couple of ADSL routers on
> a number of different IPs and no matter what rules I put in place (that
> have the desired effect when applied to the WAN interface) the firewall
> logs still show all these pings, traceroutes and IPSec/ESP attempts
> being blocked.
> 
> I think I really need a definitive answer here - can I actually have
> multiple public IPs using OPT interfaces on a m0n0.  I'm tearing my
> hair out here, I cannot see what I'm doing wrong!

Yes, you can. I'm doing it right now on my OPT1 interface. Prerequisites:

1.) Your ISP has to route a subnet or multiple IPs to you.
2.) You need to use either 1:1 NAT or turn on Advanced Outbound NAT, per
    this FAQ:
        http://m0n0.ch/wall/docbook/faq-ipalias.html

However, that doesn't have anything to do with whether or not you're
allowing ICMP ping packets or ANY OTHER PACKETS to your OPT1 interface.
Remember, m0n0wall usually denies traffic by default. You have to
explicitly allow traffic to and from your OPT1 interface. Here are my
rules for that:


  <rule>
   <type>pass</type>
   <interface>wan</interface>
   <source>
    <any/>
   </source>
   <destination>
    <network>opt1</network>
   </destination>
   <descr>WAN -&gt; Public</descr>
  </rule>


  <rule>
   <type>pass</type>
   <interface>opt1</interface>
   <source>
    <any/>
   </source>
   <destination>
    <any/>
   </destination>
   <descr>Public -&gt; any</descr>
  </rule>


-- 
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v)  423-559-5145 (f)
http://www.wingnet.net
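An added example (not Jesse's nor m0n0wall's own code): a small checker that parses <rule> elements in the layout posted above and reports whether an OPT interface has the two pass rules that m0n0wall's default deny requires. The sample config is constructed from the two rules in the mail; first-match rule evaluation and the "any"/"network" endpoint forms are the only semantics assumed.

```python
"""Check m0n0wall-style <rule> elements for the pass rules an OPT interface needs."""
import xml.etree.ElementTree as ET

# Constructed sample modelled on the two rules quoted in the thread (not a real config.xml).
SAMPLE_CONFIG = """<m0n0wall><filter>
  <rule><type>pass</type><interface>wan</interface>
    <source><any/></source><destination><network>opt1</network></destination>
    <descr>WAN -&gt; Public</descr></rule>
  <rule><type>pass</type><interface>opt1</interface>
    <source><any/></source><destination><any/></destination>
    <descr>Public -&gt; any</descr></rule>
</filter></m0n0wall>"""

def endpoint(elem):
    """Return 'any' or the <network> name for a <source>/<destination> element."""
    if elem is None or elem.find("any") is not None:
        return "any"
    net = elem.find("network")
    return net.text.strip() if net is not None and net.text else None

def load_rules(xml_text):
    """Flatten every <rule> into a dict; document order is preserved."""
    root = ET.fromstring(xml_text)
    return [{
        "type": r.findtext("type", "").strip(),
        "interface": r.findtext("interface", "").strip(),
        "src": endpoint(r.find("source")),
        "dst": endpoint(r.find("destination")),
        "descr": r.findtext("descr", "").strip(),
    } for r in root.iter("rule")]

def first_match(rules, interface, src, dst):
    """Assumed first-match semantics: the first rule on the interface whose
    source and destination cover the packet decides; no match is an implicit deny."""
    for r in rules:
        if r["interface"] != interface:
            continue
        if r["src"] in ("any", src) and r["dst"] in ("any", dst):
            return r
    return None

def opt_reachability(rules, opt="opt1"):
    """Is inbound (WAN -> opt) and outbound (opt -> any) traffic passed?"""
    inbound = first_match(rules, "wan", "any", opt)
    outbound = first_match(rules, opt, opt, "any")
    return {"inbound": inbound is not None and inbound["type"] == "pass",
            "outbound": outbound is not None and outbound["type"] == "pass"}
```

Dropping the second rule from the sample makes the outbound check fall through to the implicit deny, which is what the blocked pings in the firewall log look like.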